Find notable cyber news and cases, enriched with sources, timelines, and signals.
Campaign

Gamaredon and UAC-0226 WinRAR exploitation in Ukrainian organizations

Updated 09.06.2026 15:26
Case score 60
Members 2 First seen 01.06.2026 14:00 Latest activity 09.06.2026 15:26

Overview

**Gamaredon** activity in Ukrainian networks has broadened into a wider **WinRAR CVE-2025-8088** exploitation story that also includes **SHADOW-EARTH-066 (UAC-0226)** operations against Ukrainian organizations. The intrusion paths abuse malicious **RAR** content to gain startup persistence, then branch into **fileless VBScript**, **NTFS Alternate Data Streams**, PowerShell-driven loading, and dedicated follow-on tooling. Available evidence ties the activity to long-term espionage access, document theft, and, in the UAC-0226 chain, browser credential and cookie theft through **GIFTEDCROOK**. The exploitation remained active well after the July 2025 patch release, keeping **WinRAR** remediation and host hunting high-priority for Ukrainian defenders.
Latest development Open development history 2 earlier developments Trend Micro attributes WinRAR exploitation to Earth Dahu and SHADOW-EARTH-066 Trend Micro attributes the WinRAR exploitation against Ukrainian organisations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226), saying both groups weaponized CVE-2025-8088 after WinRAR patched it in July 2025. SHADOW-EARTH-066 used crafted RAR archives with hidden ADS payloads, a Startup-folder LNK, a PowerShell loader via cmd.exe, and in-memory DLL loading to launch GIFTEDCROOK, while Earth Dahu used an HTA-to-VBScript chain that delivered espionage modules.
  1. Earlier development

    Earth Dahu exploitation chain remains active on April 10, 2026

    Earth Dahu used CVE-2025-8088 in an HTA-to-VBScript infection chain that delivered espionage modules against Ukrainian organisations, and Trend Micro says RAR internal file timestamps and file naming conventions show the chain remained active through at least April 10, 2026.

  2. Earlier development

    Gamaredon worm hides inside NTFS Alternate Data Streams on Ukrainian networks

    Sekoia identified a Gamaredon worm used against Ukrainian networks that hides its modules in NTFS Alternate Data Streams, relies heavily on fileless VBScript, and begins from a booby-trapped xHTML file that delivers a malicious RAR archive exploiting CVE-2025-8088 in WinRAR. The campaign targets Ukrainian government, military, and critical infrastructure networks for document theft and long-term access, and defenders were advised to update WinRAR to version 7.13 or later and wipe infected systems when cleanup fails.

Signals

Impact signals
CVEs/products
Geographic context
Remediation
Status
Threat context

Threat actor context

4 listed

Malware & tooling context

5 families · 1 tools
Tools

Technical intelligence

Existing Case data

Member happenings

Campaign Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Updated 01.06.2026 14:00 Lead Contribution 57
Objective Espionage Campaign Active Patch Patch Available

The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and preserve access. The operation shifted toward **fileless VBScript** and **NTFS Alternate Data Streams**, reducing on-disk traces and making detection harder. It also used **USB sticks**, **network drives**, and dead-drop command-and-control to spread quietly across compromised environments.

Campaign Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations
Updated 09.06.2026 15:26 Scoring Support Contribution 3
Objective Espionage Campaign Active Patch Patch Available

The **Earth Dahu** and **SHADOW-EARTH-066** campaigns are still exploiting **CVE-2025-8088** in **WinRAR** against **Ukrainian organisations**, extending exposure nearly a year after the patch and enabling stealer and espionage payloads. One chain uses crafted **RAR archives** with hidden **ADS payloads**, a **Startup-folder LNK**, and a **PowerShell** loader to launch **GIFTEDCROOK** and exfiltrate credentials and documents. The other chain uses an **HTA-to-VBScript** sequence to deliver **GammaPhish**, **GammaLoad**, and **GammaSteel**, showing sustained access and a shift to dedicated **C2** infrastructure.